Lessons In Cybersecurity From Protecting Grandma And Grandpa


A recent Wall Street Journal (WSJ) piece, "Hackers are targeting eldercare homes" (link here behind paywall), described successful cyberattacks against assisted living facilities. Anyone with a loved one in one of these facilities knows that, to put it bluntly, elderly people are bad at updating their security settings. 

What lessons can be drawn for CISOs and CIOs of any organization? Pythia Cybersecurity co-founder John Sebes had these thoughts about the WSJ piece and its implications. His conclusion: you have more to learn from these attacks than you think you do; will you learn anything?

John's take:

The elder-care services sector is the latest business sector that's being targeted by cyber-criminals, and reported on by news media including the WSJ. But both the experience of the attacked businesses and the news commentary on them hold valuable lessons for any business that might need a cybersecurity upgrade.

Like many organizations, all the attacked businesses turned out to have been in real need of a cyber-security upgrade because of the two most common reasons: the external threat environment has evolved to be more threatening, and the business's operations have evolved to be at more risk. It's a combination faced by almost any organization: with the exception of organizations that have recently completed a periodic cybersecurity re-assessment and tune-up, nearly every organization needs to re-assess its cybersecurity.

Many of the characteristics of these elder-care facilities are common to a wide range of organizations. Perhaps the most telling, and common, is a serious mistaken assumption by the organization's leaders: that they know how to assess the motivations of cyber-criminals, and have decided that their organization is not a likely target. In fact, the scope and scale of cyber-crime teams' abilities have grown (that's part of the changed external threat environment) so that a very wide range of organizations are attractive targets, both in terms of data to steal and abuse, and in terms of relatively weak cyber-defenses. As a result, any corporate leader who thinks "we're not a likely target, and we don't have and can't get strong cyber-security anyway" is setting themselves up for the kind of rude awakening that many elder-care organizations have had.

For almost all businesses, all three of these related assumptions are false: cyber-attack won't happen to them, it's a future issue, and in the present there's nothing to do that is feasible because better cyber-security is expensive or beyond the company's abilities.

In fact, every company has the ability to work on the low-hanging fruit of a cyber-security upgrade. What would that be? The recently reported experiences of elder-care companies are a good guide: they needed to better identify their internal resources (including both data and people) that are at risk, what business consequences could result from cyber-attack, and how to prepare for an attack and respond to it. No set of assessments and preparations is going to prevent all cyber-security problems. But doing little or nothing, not addressing the low-hanging fruit, is a guarantee that the unknown risk and business impact will continue to lurk.